Bug#939890: buster-pu: package rpcbind/1.2.5-0.3+deb10u1
>>>>> "Sam" == Sam Hartman <hartmans@debian.org> writes:
>>>>> "Josue" == Josue Ortega <josue@debian.org> writes:
Josue> On Mon, Sep 09, 2019 at 08:27:31PM -0400, Sam Hartman wrote:
>>> What are the security implications of enabling this configure
>>> flag?
Josue> Enabling this flag lets rpcbind open random listening
Josue> ports. This would make firewalling very hard. (Default
Josue> behavior prior to version 1.2.5)
>>> Why is it off by default?
Josue> Upstream set it off by default since they claimed that
Josue> customers were complaining about this behavior and supposedly it's
Josue> not widely used. Check [1] for more details.
Josue> Debian users running NIS services in Buster have reported
Josue> breakage in their systems due to the lack of the remote call
Josue> functionality.
Sam> For the stable release managers: this change reverts a
Sam> security feature introduced upstream designed to make rpcbind
Sam> easier to firewall and reduce the attack surface of rpcbind.
FYI, I am *not* wearing my DPL hat in this conversation.
If anything I'm wearing my Kerberos maintainer hat, hoping that things
like nfs configured in a secure configuration remain secure.